Month: June 2013

In this series of the Professionally Evil Toolkit we will be talking about sqlmap. Sqlmap is an open source penetration testing tool written in Python. Sqlmap automates the process of detecting and exploiting SQL injection flaws and taking over database servers. As you might know, SQL injection is ranked number one on the OWASP …

This post is the first in a series on Getting Started with information security tools. For more posts in this series, check out the Getting Started label on this post. BeEF, the Browser Exploitation Framework, is a testing tool designed to enable penetration testers to launch client-side attacks against target browsers. By using techniques similar …

Secure Ideas spends a lot of time working with organizations both large and small. During this work, we deal with people trying to figure out what the threats and risks in the wild are today, and we help them do so. For larger companies, this exercise is something they deal with often, but smaller organizations may not …

This post picks up on my last about creating and authorizing an internal certificate authority. We are going to shift gears a bit and start looking at how to use this newfound infrastructure. There are tons of tutorials online about how to create a certificate signing request (CSR) using IIS on Windows. However, there are …

In this series of posts we’re introducing staff members at Secure Ideas to give you a quick glimpse into our lives. The goal of these posts is for you to learn more about us, so reach out to us via email or Twitter. We’d love to get to know you. Who am I: Jeff Bleich, …

If you have been glancing at many news stories this year, you have certainly seen the large number of data breaches that have occurred. Even just today, we are seeing reports that Drupal.org suffered a breach (https://drupal.org/news/130529SecurityUpdate) involving unauthorized access to hashed passwords, usernames, and email addresses. Note that this is not a …

In this post, I wanted to give something directly to the Blue Teams out there. I also thought I would call us out a bit for sending mixed messages to our users. All too often we find internal websites using invalid SSL certificates when we are on an engagement. Almost every user awareness document or …

So I just got back from the SANS Mobile Security Summit, where I was the chair. The event was a blast and, even though I am biased, I think that we had a number of great speakers. This was the second annual summit and I am already looking forward to next year's! Now let's review …